Data Processing Method and Device

ABSTRACT

The invention concerns a data processing method comprising a step (E308) which consists in verifying a criterion indicative of the normal running of the method and a step (E320) which consists in processing performed in case of negative verification. The processing step (E320) is separated from the verifying step (E308) by an intermediate step (E312, E314) of non-null duration. The intermediate step (E312, E314) and/or the processing step (E320) includes at least one action (E314) performed in case of positive verification. The invention also concerns a corresponding device.

DATA PROCESSING METHOD AND DEVICE

The present invention concerns a method of processing data, used for example in a microcircuit card.

In certain contexts, one seeks to render secure the operation of data processing apparatus. This is in particular the case in the field of monetics, in which an electronic entity (for example a microcircuit card) carries information representing a pecuniary value and which can therefore be modified only in accordance with a particular protocol. It may equally be a question of an electronic entity for identifying its carrier, in which case operation must be rendered secure to prevent any falsification or abusive use.

One such electronic entity is for example a bank card, a telephone SIM card (the acronym SIM stemming from the English Subscriber Identity Module), an electronic passport, a secure module of the HSM type (from the English Hardware Security Module) such as a PCMCIA card of the IBM 4758 type, without these examples being limiting.

In order to make operation more secure, one seeks to be protected against the various types of attack that may be envisaged. One large category of attacks to be combated consists of attacks known as fault generation attacks, during which malicious persons seek to cause the data processing apparatus to depart from its normal, and thus secure, operation.

To parry this kind of attack, the data processing methods commonly used provide steps for verification of the normal running of the method, with the aim of detecting anomalies one possible origin whereof is a fault generation attack. If an anomaly is detected (i.e. if normal running is not verified), the anomaly is processed immediately, and this is generally called security processing. This type of processing consists in fact in a countermeasure intended to combat the attack, for example by prohibiting all subsequent operation of the data processing apparatus.

As indicated, the processing of the anomaly is usually thought of as following on immediately from detection, since the fact of continuing the processing in the presence of an anomaly clearly entails the risk of further degrading the operation of the data processing apparatus and therefore its security.

However, the inventor has noted that this ordinary thinking gives the attacker information as to the moment at which the anomaly is detected. In fact, the time of detection of the anomaly is in itself difficult to access from outside. It is nevertheless thought that the attacker, by observing and analyzing the electrical consumption (or the electromagnetic radiation) of the apparatus, can obtain access to the time of implementation of the processing of the anomaly, for example in the case where this processing consists in an action on an external device. Since according to the ordinary thinking this processing follows on immediately from the detection of the anomaly, the attacker could deduce relatively easily from this the time of detection of the anomaly.

Accordingly, because of the proximity of the detection of the anomaly and of the processing thereof in the usual systems, the attacker has access to additional information on the operation of the data processing apparatus, which of course compromises making the method secure.

In order in particular to avoid this problem, and consequently to improve further the security of the data processing methods, the invention proposes a data processing method comprising a step of verification of a criterion indicative of the normal running of the method and a processing step effected in the case of negative verification, wherein the processing step is separated from the verification step by an intermediate step of non-null duration.

A first action being effected in the case of positive verification, the intermediate step entails effecting at least one second action having at least one first characteristic in common with the first action.

An attacker seeking to understand the operation of the method will therefore have difficulties in distinguishing normal operation (positive verification) from operation in the case of an anomaly (i.e. negative verification).

The second action is different from the first action, for example. Thus the second action may comprise fewer risks, or even no risk, to the security of the system.

If a third action is effected in the case of positive verification, the processing step may entail effecting at least one fourth action having at least one second characteristic in common with the third action.

Thus an attacker will not be able to distinguish between the modes of operation. He will therefore not be able to prevent the processing of the anomaly.

If the method is implemented in electronic apparatus, the first or second common characteristic is for example the electrical consumption or the electromagnetic radiation of the apparatus generated by the first, respectively the third, action and by the second, respectively the fourth, action. Thus an attacker will not be able to distinguish the normal mode of operation from the abnormal mode of operation by observation of the electrical and/or electromagnetic behavior of the electronic apparatus.

The first or second common characteristic may equally be the number of instructions used in the first, respectively the third, action and in the second, respectively the fourth, action, which makes it impossible to distinguish between the modes of operation by the duration of said actions.

The first or second common characteristic may further be the type of instruction used by the first, respectively the third, action and by the second, respectively the fourth, action, which ensures great similarity in the electrical and/or electromagnetic signature of said actions.

The first or second common characteristic may also be the type of data processed by the first, respectively the third, action and by the second, respectively the fourth, action, which also ensures such similarity.

If the first, respectively the third, action entails access to a first area of a memory, the second, respectively the fourth, action may entail access to a second area of said memory different from the first area. The processing of the data therefore appears similar in both the modes of operation mentioned above although it is in fact effected in different contexts.

According to another possibility, the first or second common characteristic is communication with an external device, which may be for example a cryptoprocessor, a memory (e.g. a rewritable semiconductor memory), or a user terminal. Communication with such external devices is in fact observed by attackers and this common characteristic is therefore particularly likely to lead them into error.

The first action may entail a secure step, for example a cryptographic algorithm, which is thus protected against fault generation attacks.

The processing step entails for example writing blocking data into a physical memory.

According to a particularly interesting possibility, the writing of blocking data may be effected in accordance with a chronology identical to writing data into the physical memory in the case of normal running of the method.

In one embodiment, this data represents a pecuniary value. Thus an attacker will not be able to distinguish a priori between blocking of the apparatus and an operation on the value that it represents.

The criterion is negative for example if an erroneous signature is provided or if an anomaly is detected.

The criterion may also be negative if an attack is detected. As has been stated, the invention is of particular interest in this context.

The criterion may equally be negative if a functional error is detected. Such processing in the case of functional error is unusual but proves interesting for enhancing the security of the system, in particular because such functional errors are very rare outside attack situations and thus reflect the probable presence of an attack.

According to one possible feature, the intermediate step entails at least one instruction determined during the execution of the method, for example randomly. The understanding of the operation of the system by the attacker is further complicated by this.

According to one possible embodiment, a microcircuit card comprises a microprocessor and the method is executed by the microprocessor.

The invention also proposes a data processing device comprising means for verification of a criterion indicative of the normal operation of the device and processing means used in the case of negative verification, characterized by separation means for separating the operation of the verification means from the operation of the processing means by a non-null duration.

According to one implementation possibility, first action means are used in the case of positive verification and the separation means have at least one first characteristic in common with the first action means.

According to another implementation possibility, second action means are used in the case of positive verification and the processing means have at least one second characteristic in common with the second action means.

This device is for example a microcircuit card.

The invention further proposes, in a manner that is novel in itself, a method of processing data comprising a step of verification of a criterion indicative of the normal running of the method and a processing step effected in the case of negative verification, characterized in that, a first action being effected in the case of positive verification, the processing step entails effecting at least one second action having a characteristic in common with the first action.

In this context, there may be provision for the second action to take place with a chronology identical to the first action in the case of normal running of the method.

Here the first action is for example writing data into a physical memory and the second action is for example writing blocking data into that physical memory.

This method may moreover have the characteristics associated with the method proposed hereinabove and the advantages that flow therefrom. Moreover, a device which comprises means for implementing the various steps of this method is proposed in the same line of thinking.

Other characteristics and advantages of the present invention will become more apparent on reading the following description, given with reference to the appended drawings, in which:

FIG. 1 represents diagrammatically the main elements of one possible embodiment of a microcircuit card;

FIG. 2 represents the general physical appearance of the microcircuit card from FIG. 1;

FIG. 3 represents a method implemented in accordance with a first embodiment of the invention;

FIG. 4 represents a method implemented in accordance with a second embodiment of the invention;

FIG. 5 represents a method implemented in accordance with a third embodiment of the invention.

The microcircuit card 10 the principal elements whereof are represented in FIG. 1 includes a microprocessor 2 connected on the one hand to a random access memory (or RAM from the English Random Access Memory) 4 and on the other hand to a rewritable semiconductor memory 6, for example a read-only memory that can be erased and programmed electrically (or EEPROM from the English Electrically Erasable Programmable Read Only Memory). Alternatively, the rewritable semiconductor memory 6 could be a flash memory.

The memories 4, 6 are each connected to the microprocessor 2 by a bus in FIG. 1; alternatively, there could be one common bus.

The microcircuit card 10 also includes an interface 8 for communication with a user terminal that here takes the form of contacts one of which provides a bidirectional link with the microprocessor 2, for example. The interface 8 thus enables bidirectional communication to be set up between the microprocessor 2 and the user terminal into which the microcircuit card 10 will be inserted.

Thus, on insertion of the microcircuit card 10 into a user terminal, the microprocessor 2 executes a method of operation of the microcircuit card 10 in accordance with a set of instructions stored for example in a read-only memory (or ROM from the English Read-Only Memory)—not shown—or in the rewritable memory 6, which defines a computer program. This method generally includes the exchange of data with the user terminal via the interface 8 and the processing of data within the microcircuit card 10, and precisely within the microprocessor 2, possibly using data stored in the rewritable memory 6 and data stored temporarily in the random access memory 4.

Examples of such methods that use the invention are given hereinafter with reference to FIGS. 3 to 5.

FIG. 2 represents the general physical appearance of the microcircuit card 10 produced with the general shape of a rectangular parallelepiped of very small thickness.

The communication interface 8 provided with the contacts already mentioned is clearly apparent on the face of the microcircuit card 10 visible in FIG. 2, in the form of a rectangle inscribed within the upper face of the microcircuit card 10.

FIG. 3 represents a method of reading in the rewritable memory 6 such as may be used by the microcircuit card 10 shown in FIG. 1, for example thanks to the execution of a computer program within the microprocessor 2. This method is given as a first example of use of the invention.

Such a method is used for example if the data written in the rewritable memory (or EEPROM) 6 must be used by the microprocessor 2 during a data processing operation; the data written in rewritable memory 6 is read beforehand in order to be transferred into the random access memory 4 in which it can be easily manipulated.

As represented in the step E302 of FIG. 3, the method receives as input the address ADR at which it must effect the read operation in the rewritable memory (or EEPROM) 6.

In the step E304, the method initializes to the value 0 an error flag S.

The variables being correctly initialized, there follow verification steps dedicated to ensuring safe operation of the system as is generally required in the secure contexts of use of microcircuit cards.

Thus the step E306 proceeds to the verification of a checksum. Naturally, other verifications are possible but have not been represented in FIG. 3 to clarify the explanation of the invention.

The step E306 of verification of a checksum consists in verifying that the data written in rewritable memory 6 is consistent with the checksum (sometimes designated by the Anglo-Saxon terminology “checksum”) associated with that data.

There is then an alternative in the step E308: if the checksum is not erroneous, i.e. the verification of the checksum is positive, normal operation continues with the step E314 described hereinafter; if on the other hand an error is detected in the checksum, i.e. the step of verification of the checksum gives a negative result, there follows the step E310.

It may be noted that the presence of an erroneous checksum, although it indicates in all cases abnormal operation of the microcircuit card, may have diverse origins: it may be a question of a functional error (for example an error in the content of the rewritable memory 6), but it may equally be a question of the trace of a fault generation attack.

In the step E310, the error flag S is updated to the value 1 to indicate that an anomaly has been detected.

There then follows the step E312 in which the read address ADR received as input to the method (see the step E302 described hereinabove) is replaced by the address of a “bait-area” situated in the rewritable memory 6. The bait-area is a memory area a priori different from the address received in the step E302; it is for example an address at which no reading should normally be effected in normal operation (i.e. during the normal and anomaly-free operation of the microcircuit card).

By way of example, these bait-areas may include data determined randomly and/or data of the same structure as the data that was initially to be read at the address ADR received in the step E302.

Note that the step E312 that has just been described does not constitute a step of processing of the anomaly detected in the step E308: for example, it is not a question of the transmission of a code relating to the detected anomaly, the display of a message relating to that anomaly, or a countermeasure when it is considered that the anomaly stems from a fault generation attack.

After the step E312 (effected like the step E310 only in the case of abnormal operation of the microcircuit card, i.e. in the case of negative verification of normal operation in the step E306), there follows the step E314 which, as indicated hereinabove, forms part of the normal operation of the microcircuit card (in the case of positive verification of the checksum as indicated with regard to the step E308).

The step E314 consists in transferring the data from the rewritable memory 6 to the random access memory 4 and therefore constitutes in this regard the core of the FIG. 3 method, following the initialization and verification steps.

Precisely, the step E314 reads in the rewritable memory 6 at the address specified by the variable ADR previously mentioned and writes the data it has read in random access memory 4 in an area usually referred to as buffer memory that is generally used to manipulate data.

It may be noted that, if the checksum has been verified positively in the preceding steps, the variable ADR actually points to the address in rewritable memory 6 received as input, i.e. to the data that must actually be read. On the other hand, if an erroneous checksum has been detected (i.e. the verification was negative in the preceding steps), the variable ADR points to the bait-area defined in the step E312 with the result that the step E314 will in fact transfer data from the bait-area into the buffer memory area in random access memory 4, and not effect the reading operation required by the address received in the step E302.

Accordingly, if an operating anomaly is detected by the negative verification of the step E306, no access is effected to the rewritable memory 6 at the address provided in normal operation, at which is generally stored data that is relatively sensitive from the security point of view. This gives protection against an attacker finding out this sensitive data if the origin of the detected anomaly is a fault generation attack.

Furthermore, the step E314 being effected in normal operation as after detection of an operating anomaly (although with different data), it is virtually impossible for an attacker to detect a departure from normal operation, for example by current measurements.

After the step E314, the method proceeds to the step E316 in which the error flag S is tested.

If the error flag S has the value 1, which corresponds to the situation in which the step E310 has been effected (i.e. the case of detection of an anomaly by negative verification of the checksum in the step E306), there follows the step E320 in which the anomaly previously detected is processed, for example by writing blocking (or lock) data in the rewritable memory 6.

Writing a lock in the rewritable memory 6 consists in writing certain data into that memory 6 that will prevent any subsequent use of the microcircuit card 10. For example, if the microcircuit card 10 is subsequently inserted into another user terminal, the microprocessor 2 of the microcircuit card 10 will detect the presence of the blocking data in the rewritable memory 6 and will not carry out any processing or exchange of information with the user terminal.

Writing a lock in the rewritable memory 6 constitutes a particularly effective countermeasure against a fault generation attack. This type of processing of the detected anomaly is therefore of particular interest if this anomaly stems from a fault generation attack or in situations where security must be of such a level that any operating anomaly must entail the blocking of the microcircuit card.

The countermeasure may equally consist in deleting confidential data, for example secret keys, from the rewritable memory 6.

Alternatively, the step of processing the anomaly could consist in updating a flag (stored in random access memory 4 or in rewritable memory 6) representative of the anomaly detected during the FIG. 3 method. This solution does not lead immediately to the blocking of the microcircuit card, but keeps a trace of the presence of an operating anomaly in order to analyze the problem encountered and where appropriate then to proceed to blocking the card (for example if other elements corroborate the hypothesis of a fault generation attack).

If the step E316 previously described indicates that the error flag S does not have the value 1 (i.e. that the verification of the step E306 was positive), the method continues its normal operation with the step E318, in which the address of the buffer memory area in random access memory 4 previously mentioned is sent to the output in order to enable use of the data read in the rewritable memory 6 in subsequent operation of the microcircuit card.

For example, if the method is a Read Record routine as defined by the ISO 7816 standard, the content of the buffer memory area is sent in the subsequent steps.
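The FIG. 3 routine (steps E302 to E320) written out as an added C example; this is not code from the patent. It models the rewritable memory 6 and the random access memory 4 as arrays, assumes a one-byte XOR checksum stored after each 8-byte record (the patent does not fix the checksum algorithm), and uses constructed addresses for the record, the bait-area and the lock byte. The point to see is that the transfer of step E314 is the same instruction on both paths and that the lock of step E320 is only written after it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the card: memories 6 and 4 are plain arrays; the
 * addresses, sizes and lock value below are assumptions for this example. */
#define EEPROM_SIZE 64
#define RAM_SIZE    32
#define REC_LEN     8            /* bytes per record; a 1-byte checksum follows it */
#define ADR_RECORD  0            /* real record (the ADR received in step E302) */
#define ADR_BAIT    16           /* bait-area with the same structure (step E312) */
#define ADR_LOCK    63           /* lock byte written in step E320 */
#define RAM_BUFFER  0            /* buffer memory area returned in step E318 */
#define LOCK_VALUE  0xA5

static uint8_t eeprom[EEPROM_SIZE];   /* rewritable memory 6 */
static uint8_t ram[RAM_SIZE];         /* random access memory 4 */

/* Hypothetical checksum: XOR of the record bytes. */
static uint8_t checksum(const uint8_t *p, size_t n) {
    uint8_t c = 0;
    for (size_t i = 0; i < n; i++) c ^= p[i];
    return c;
}

/* Step E306: is the record at adr consistent with its stored checksum? */
static int checksum_ok(uint16_t adr) {
    return checksum(&eeprom[adr], REC_LEN) == eeprom[adr + REC_LEN];
}

/* The check a locked card makes at power-up: blocking data present means no processing. */
int card_locked(void) { return eeprom[ADR_LOCK] == LOCK_VALUE; }

/* The FIG. 3 read routine.  Returns the RAM buffer address (E318) on normal
 * running, or -1 once the deferred processing of the anomaly (E320) has run. */
int read_record(uint16_t adr) {
    uint8_t s = 0;                              /* E304: error flag S := 0 */
    if (!checksum_ok(adr)) {                    /* E306/E308: negative verification */
        s = 1;                                  /* E310 */
        adr = ADR_BAIT;                         /* E312: redirect ADR to the bait-area */
    }
    /* E314: same instruction and same length on both paths; only the source
     * differs, so the sensitive record is never read once an anomaly is flagged. */
    memcpy(&ram[RAM_BUFFER], &eeprom[adr], REC_LEN);
    if (s == 1) {                               /* E316 */
        eeprom[ADR_LOCK] = LOCK_VALUE;          /* E320: processing, separated from E308 by E312/E314 */
        return -1;
    }
    return RAM_BUFFER;                          /* E318: hand the buffer address to the caller */
}

/* Constructed card image: a record 0x11..0x88 with its checksum, a bait record of
 * 0x55 bytes with its own checksum, and optionally one flipped bit in the record
 * standing in for a corrupted cell or an injected fault. */
void setup_card(int corrupt_record) {
    memset(eeprom, 0, sizeof eeprom);
    memset(ram, 0, sizeof ram);
    for (int i = 0; i < REC_LEN; i++) eeprom[ADR_RECORD + i] = (uint8_t)(0x11 * (i + 1));
    eeprom[ADR_RECORD + REC_LEN] = checksum(&eeprom[ADR_RECORD], REC_LEN);
    for (int i = 0; i < REC_LEN; i++) eeprom[ADR_BAIT + i] = 0x55;
    eeprom[ADR_BAIT + REC_LEN] = checksum(&eeprom[ADR_BAIT], REC_LEN);
    if (corrupt_record) eeprom[ADR_RECORD + 3] ^= 0x01;
}

uint8_t buffer_byte(int i) { return ram[RAM_BUFFER + i]; }

int main(void) {
    setup_card(0);
    int r = read_record(ADR_RECORD);
    printf("intact:    result=%d buffer[0]=0x%02X locked=%d\n", r, buffer_byte(0), card_locked());
    setup_card(1);
    r = read_record(ADR_RECORD);
    printf("corrupted: result=%d buffer[0]=0x%02X locked=%d\n", r, buffer_byte(0), card_locked());
    return 0;
}
```

On the corrupted image the buffer receives the 0x55 bait data rather than the record, and only after that transfer is the lock byte written; a caller that tests `card_locked()` on the next power-up refuses further processing, as described for step E320.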

FIG. 4 shows a method of reading in rewritable memory 6 carried out in accordance with a second embodiment of the invention.

This method is for example implemented by the execution of the instructions of a computer program by the microprocessor 2.

As for the method of FIG. 3, the method described here receives as input, in the step E402, the address ADR at which it must read data in the rewritable memory 6.

There then follows in the step E404 a verification of the type of file read. The step E404 may for example consist in reading in the rewritable memory 6 the header of the file designated by the address ADR and verifying that the data of that header corresponds to data indicative of the type that must be read using the method described here.

If the file type designated by the header does not correspond to the type of file that must be read, there is a departure from the normal running of the method in the step E406 to go to the step E430 described hereinafter. If on the other hand the file type is correct, the step E406 leads to the step E408 of normal operation as now described.

In the step E408, it is verified that reading in the rewritable memory 6 is authorized by comparing the necessary access rights specified in the header of the file to those presented by the user, this information being accessible in random access memory 4.

If reading in rewritable memory 6 is not authorized according to the data read in random access memory, the verification of the possibility of access to that memory 6 is negative and there then follows the step E432 described hereinafter.

On the other hand, if it is determined in the step E410 that access to the rewritable memory 6 is authorized, there follows the step E412 for the continuation of normal operation of the microcircuit card.

The steps E404 to E410 therefore proceed to verifications of the normal operation of the microcircuit card. Verifications other than those given here by way of example could naturally be carried out.

The step E412 already mentioned, which follows if the various verifications relating to normal operation have been positive, consists in reading the data stored at the address ADR in the rewritable memory 6 in order to store it in random access memory 4 to use it subsequently during data processing effected by the microprocessor 2.

This step therefore brings about repeated access in read mode to the rewritable memory 6 and repeated access in write mode to the random access memory 4.

Once the transfer of data from the rewritable memory 6 to the random access memory 4 is finished (either by reading a fixed number of bytes in rewritable memory 6 or by reading the precise number of bytes to read received for example as input in the step E402), there follows a step E414 of verifying the accuracy of the read data. To do this, for example, the data in the rewritable memory 6 is read again and that data is compared to the corresponding data previously stored in the random access memory 4 in the step E412.

If an error is detected during the comparison, the step E434 described hereinafter follows on from the step E416.

On the other hand, if all the data has been read correctly (i.e. the second reading in the rewritable memory 6 generates data identical to that read during the step E412), the step E416 leads to the continuation of normal operation in the step E418 now described.

The step E418 consists in returning as output the address at which the data read in the rewritable memory 6 is stored in random access memory in order for the latter data to be available for the continuation of the normal operation diagrammatically represented by the step E420 in FIG. 4. When it is a question of a Read Record command defined by the ISO 7816 standard, this step E420 consists for example in sending the data that has been read.

In the situation where an erroneous file type has been detected in the step E406, there follows in the manner previously indicated the step E430 of updating an error report E so that the latter indicates an error stemming from the file type.

The step E430 is followed by the step E450 in which a bait-area in random access memory 4 is read. The bait-area is for example a dedicated area, with no other use, that contains data dedicated to this use and that is different here for example from the access rights relating to the authorization to read in rewritable memory 6 mentioned in relation to the step E408.

There then follows the step E452 in which the data read in the step E450 (i.e. the data read in the bait-area which can therefore be referred to as “bait-data”) is compared to the value 0.

It may be noted that the steps E450 and E452 have no functional role in the operation of the card, i.e. neither the data that is processed therein nor the result of the comparison that is effected has any impact on the other portions of the method.

Nevertheless, for an external observer such as an attacker who is measuring the current consumption of the microcircuit card, executing these two steps is not distinguished from operations carried out during the normal operation step E408 described hereinabove. In fact, the operations of the steps E408 and E410 that consisted in reading data in random access memory and comparison thereof have a signature similar to that of the corresponding operations of reading in random access memory and comparison with the value 0 effected in the steps E450 and E452.

Thus, at this stage of the method, it is impossible for an attacker to determine by means of observations conducted from the outside that an anomaly has been detected in the step E406.

The step E452 is followed by the step E454 that will be described hereinafter.

In the same line of thinking as that which has just been described with regard to the detection of an erroneous file type, there follows as already stated in the case of prohibition of access to rewritable memory (steps E408 and E410) a step E432 in which the error report E is updated to indicate that the error stems from a prohibition of reading the rewritable memory 6.

The step E432 is also followed by the step E454 already mentioned and that will now be described.

In the step E454, the method reads in a bait-area of the rewritable memory 6 and writes in a bait-area of the random access memory 4.

As indicated hereinabove, the bait-areas in the memories 4, 6 are areas of those memories in which data is written that has no particular function in normal operation. Access in read or in write mode to these bait-areas nevertheless allows simulation, for an external observer of the running of the method, of the steps carried out during normal operation, for example in the step E412, without impacting on the data used elsewhere by the method or on the security thereof.

The step E454 is followed by a step E456 of reading bait-areas in the random access memory 4 and in the rewritable memory 6. As indicated hereinabove, this access in read mode has no functional role in the normal operation of the program (i.e. the data read in the bait-areas is not used in other portions of the method). However, for an attacker who is attempting to discover the internal working of the method by means of observations (for example of the electrical consumption of the microprocessor or the memories 4, 6), the steps E454 and E456 generate signatures that are respectively similar to the signatures generated by the steps E412 and E414 during normal operation.

Thus, at this stage of the method, it is impossible for an attacker, by external observation of the operation of the microcircuit card, to determine if the method is effecting the steps E412 and E414 of normal operation or the steps E454 and E456 subsequent to detection of an operating anomaly (whether that be an anomaly caused by an erroneous file type or a departure from normal operation through prohibition of access to the rewritable memory 6).

Like the steps E450 and E452, the steps E454 and E456 are not steps of processing the detected anomaly, since these steps work on bait-data, without seeking to remedy a functional error or to implement a countermeasure if the anomaly stems from a fault generation attack.

The step E456 is followed by the step E458 described hereinafter.

On the assumption mentioned hereinabove to the effect that the verification of the accuracy of the data read in the step E412 by the step E414 is negative, the step E416 is followed by the step E434 of updating the error report E in order for the latter to indicate that the error detected stems from an error in reading the rewritable memory 6.

The step E434 is then followed by the step E458 already mentioned and now described.

The step E458 consists in sending the error report as determined during a preceding step (i.e. during one of the steps E430, E432 and E434). The error code may be sent to another method (or another part-method) implemented in the microcircuit card. For example, if the method represented in FIG. 4 represents a subroutine executed if the main program managing the operation of the microcircuit card requires the rewritable memory 6 to be read, the step E458 may consist in returning the value of the error report to the main program.

Alternatively, the error report may be sent in the step E458 to the user terminal via the interface 8.

The method represented in FIG. 4 therefore has two main branches:

a first branch which corresponds to the normal running of the method (steps E402 to E420);

a second branch made up of steps at least some of which are effected after an anomaly has been detected (steps E450 to E458).

As has been seen, many steps of the first branch are simulated, in the case of detection of an anomaly, by a corresponding step of the second branch. For this purpose, the corresponding step of the second branch uses an instruction of the same type as the corresponding step of the first branch, and where necessary uses a call with a device identical to that used in the corresponding step of the first branch, to generate for an attacker the same signature, for example in terms of electrical consumption or electromagnetic radiation.
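The two branches of FIG. 4 as an added C example (not code from the patent), together with the check a practitioner would want when implementing them: every memory access is logged as (memory, read/write), and the log of each anomaly branch (wrong file type, access prohibited, re-read mismatch) is compared with the log of the normal branch. The file layout (a 2-byte header holding the type and the required rights, then the data), the addresses, the error codes and the injected re-read fault are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model: a file in rewritable memory 6 is a 2-byte header (type,
 * required rights) followed by REC_LEN data bytes; bait-areas share that layout. */
#define REC_LEN      4
#define HDR_LEN      2
#define ADR_FILE     0
#define ADR_BAIT_EE  16    /* bait-area in rewritable memory 6 */
#define RAM_RIGHTS   0     /* rights presented by the user (step E408) */
#define RAM_BUFFER   4     /* destination of the real transfer (step E412) */
#define RAM_BAIT     16    /* bait-area in random access memory 4 */

static uint8_t eeprom[64];   /* rewritable memory 6 */
static uint8_t ram[32];      /* random access memory 4 */

/* Bus-level trace: which memory was touched and how, in order.  This is what an
 * observer of the consumption could distinguish; it must not depend on the branch. */
typedef struct { uint8_t mem; uint8_t op; } access_t;
static access_t trace[64], ref[64];
static int trace_len, ref_len;
static int read_count, glitch_at = -1;   /* constructed fault: flip a bit on the n-th EEPROM read */

static uint8_t ee_read(uint16_t a) {
    trace[trace_len++] = (access_t){6, 'r'};
    uint8_t v = eeprom[a];
    if (read_count++ == glitch_at) v ^= 0x01;
    return v;
}
static uint8_t ram_read(uint16_t a) { trace[trace_len++] = (access_t){4, 'r'}; return ram[a]; }
static void ram_write(uint16_t a, uint8_t v) { trace[trace_len++] = (access_t){4, 'w'}; ram[a] = v; }

/* Shared bodies of E412/E454 (transfer) and E414/E456 (re-read and compare):
 * the normal branch and the bait branch differ only in the addresses passed. */
static void transfer(uint16_t src, uint16_t dst) {
    for (int i = 0; i < REC_LEN; i++) ram_write(dst + i, ee_read(src + i));
}
static int verify(uint16_t src, uint16_t dst) {
    int ok = 1;
    for (int i = 0; i < REC_LEN; i++) {
        uint8_t again = ee_read(src + i), stored = ram_read(dst + i);
        ok &= (again == stored);
    }
    return ok;
}

enum { E_OK = 0, E_FILE_TYPE = 1, E_ACCESS = 2, E_READ = 3 };   /* error report E (constructed codes) */

/* The FIG. 4 routine: E_OK with the data at RAM_BUFFER (E418), or the error
 * report E (E458).  Every branch performs the same sequence of accesses. */
int read_file(uint16_t adr, uint8_t wanted_type) {
    int e = E_OK;
    trace_len = 0; read_count = 0;
    uint8_t type = ee_read(adr), need = ee_read(adr + 1);         /* E404: read the header */
    if (type == wanted_type) {                                    /* E406 positive */
        if ((ram_read(RAM_RIGHTS) & need) != need) e = E_ACCESS;  /* E408/E410, negative -> E432 */
    } else {
        e = E_FILE_TYPE;                                          /* E430 */
        (void)(ram_read(RAM_BAIT) == 0);                          /* E450/E452 mirror E408/E410 */
    }
    if (e == E_OK) {
        transfer(adr + HDR_LEN, RAM_BUFFER);                      /* E412 */
        if (!verify(adr + HDR_LEN, RAM_BUFFER)) e = E_READ;       /* E414/E416, negative -> E434 */
    } else {
        transfer(ADR_BAIT_EE + HDR_LEN, RAM_BAIT);                /* E454 mirrors E412 */
        (void)verify(ADR_BAIT_EE + HDR_LEN, RAM_BAIT);            /* E456 mirrors E414 */
    }
    return e;                                                     /* E418 or E458 */
}

/* Helpers for checking that two runs left the same bus signature. */
void snapshot_trace(void) { ref_len = trace_len; memcpy(ref, trace, sizeof ref); }
int trace_matches_snapshot(void) {
    return ref_len == trace_len && memcmp(ref, trace, (size_t)trace_len * sizeof trace[0]) == 0;
}
void inject_read_fault(int nth_read) { glitch_at = nth_read; }
uint8_t buffer_byte(int i) { return ram[RAM_BUFFER + i]; }

/* Constructed card image: a file of the given type needing rights 0x03 with data
 * 0xC0.., a bait file of another type with 0x55 data, and the user's rights. */
void setup_card(uint8_t file_type, uint8_t user_rights) {
    memset(eeprom, 0, sizeof eeprom); memset(ram, 0, sizeof ram);
    eeprom[ADR_FILE] = file_type; eeprom[ADR_FILE + 1] = 0x03;
    for (int i = 0; i < REC_LEN; i++) eeprom[ADR_FILE + HDR_LEN + i] = (uint8_t)(0xC0 + i);
    eeprom[ADR_BAIT_EE] = 0x7F; eeprom[ADR_BAIT_EE + 1] = 0x00;
    for (int i = 0; i < REC_LEN; i++) eeprom[ADR_BAIT_EE + HDR_LEN + i] = 0x55;
    ram[RAM_RIGHTS] = user_rights;
    glitch_at = -1;
}

int main(void) {
    setup_card(0x01, 0x03); int e = read_file(ADR_FILE, 0x01); snapshot_trace();
    printf("normal:     E=%d accesses=%d\n", e, trace_len);
    setup_card(0x02, 0x03); e = read_file(ADR_FILE, 0x01);
    printf("wrong type: E=%d same trace=%d\n", e, trace_matches_snapshot());
    setup_card(0x01, 0x03); inject_read_fault(6); e = read_file(ADR_FILE, 0x01);
    printf("read fault: E=%d same trace=%d\n", e, trace_matches_snapshot());
    return 0;
}
```

The trace comparison is the useful part for a reviewer: it shows that the bait reads of E450/E454/E456 reproduce the access pattern of E408/E412/E414 exactly, while the data that ends up at RAM_BUFFER and the value of E still differ between branches. A real implementation would compare the trace at the level of actual consumption measurements; the logged access types are the same idea at the level the firmware can test on its own.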

FIG. 5 represents a method used in an electronic purse type microcircuit card (sometimes designated by the English word purse) according to the teachings of a third embodiment of the invention.

This method is implemented for example by the execution of a program consisting of instructions in the microprocessor 2 of the microcircuit card.

FIG. 5 represents the main steps of the method used to credit the electronic purse, i.e. to modify the data stored in the microcircuit card that represents the value of the electronic purse in the sense of an increase in that value.

This method therefore begins with the step E502, in which the microprocessor 2 of the microcircuit card 10 receives from the user (via the interface 8) a credit command code C, the amount M to be credited and a signature S, as represented in the step E502.

As will be seen hereinafter, the signature S ensures that the user actually has an authorization to effect this credit; in fact, without this precaution, anyone could command the increase in the value of the electronic purse, which is obviously unacceptable.

The steps effected during normal operation of the electronic purse crediting method are now described.

In the step E504, which follows the step E502 in normal operation, the microprocessor commands the reading in the rewritable memory 6 of a key K by specifying the storage address of this key in the rewritable memory 6. The key K stored in the rewritable memory 6 is secret and is therefore not accessible from the outside.

The microprocessor 2 then proceeds to the step E506 of sending the secret key K read in the rewritable memory 6 and the control code C to a cryptoprocessor (not shown in FIG. 1). The cryptoprocessor effects a cryptographic calculation on the basis of the data received (secret key K, command code C) using conventional cryptographic algorithms, for example the DES algorithm. More precisely, an algorithm is applied here to the control code C using the secret key K in order to obtain a calculated signature S1.

The cryptoprocessor then returns to the microprocessor 2 the calculated signature S1 (step E508).

If the user who commands the execution of the method is effectively authorized to effect the credit, he also knows the secret key K and can therefore determine the signature S in exactly the same way as the calculation that has just been effected to calculate the signature S1.

This is why in the step E the signature S received from the user is compared to the signature S1 calculated on the basis of the secret key K stored in the microcircuit card, which makes it possible to determine if writing the credit is authorized.

Accordingly, if the comparison between S and S1 is positive in the step E510, there follows the step E512 in which the amount M to be credited, or alternatively the value of the electronic purse resulting from that credit, is written in the rewritable memory 6.

On the other hand, if it is determined in the step E510 that the signature S received from the user does not correspond to the calculated signature S1, crediting the electronic purse cannot be authorized and there then follows the step E514 in which the microprocessor 2 sends the user terminal an error report.

There have just been described the main steps of a method of crediting an electronic purse. Naturally, to ensure secure working of this method, these main steps are separated by steps for verification of the normal running of the method, which by various tests detect functional errors on the one hand and attacks on the other hand, for example fault generation attacks.

In the case of detection of an attack, the microprocessor 2 carries out steps different from those of normal operation, as now described. According to a variant that may be compatible with what is described hereinafter, the method may also use these different steps (or other steps different from normal operation) if a functional error is detected (rather than an attack).

As represented in dashed line in FIG. 5, if an attack is detected between the step E502 of receiving data and the step E504 of reading the secret key K in the rewritable memory 6, there follows the step E520 in which data is read in the rewritable memory 6 at an address K′ that constitutes a bait-area corresponding to the area containing the secret key K read in the step E504 during normal operation.

Accordingly, if an attacker generates a fault attack that is detected by the microprocessor 2, there follows the step E520 whereof the electrical or electromagnetic signature (as observed by the attacker) is similar to that of the step E504 effected in normal operation. The attacker therefore thinks that his attack has not been detected and that the microprocessor 2 is actually reading the secret key K in the rewritable memory 6.

After the step E520, there follows the step E522. This step E522 also follows if an attack is detected by steps of verification of the normal running of the method situated between the steps E504 and E506 previously described.

The step E522 consists in sending to the cryptoprocessor (previously mentioned with regard to the steps E506 and E508) data C′ and K′ that constitutes bait-data. Thus the step E522 has no particular functional role, but simulates the step E506 for an attacker who is observing the operation of the microcircuit card 10 by simply studying the electrical consumption of or the electromagnetic radiation generated by the card.

If the step E522 is preceded by the step E520, the bait-data K′ may be the data read during the step E520. Alternatively, it may be predetermined data, and preferably data unrelated to the secure operation of the microcircuit card 10.

As previously, the signature of the step E522 being similar to that of the step E506 effected in normal operation, an attacker is unaware when the step E522 is executed that his attack has in fact been detected.

The step E522 is followed by the step E524 described hereinafter.

As before, the steps E506 and E508 may be separated by steps of verification of the normal operation of the method adapted to detect an attack, as represented in dashed line in FIG. 5. If an attack is detected, the method also continues at the step E524.

The step E524 consists in receiving a signature calculated by the cryptoprocessor. As previously for the steps E520 and E522, the step E524 simulates a step of normal operation (here the step E508) in order to prevent an attacker detecting that his preceding attack has been detected.

If the step E522 has previously been effected, the signature S1′ is for example the signature calculated by the cryptoprocessor on the basis of the data C′ and K′ transmitted during the step E522. In this case, the calculated signature S1′ has no functional role since it is based on bait-data.

When the method reaches the step E524 following the detection of an attack between the steps E506 and E508, the step E524 may for example consist in actually receiving only a portion of the signature calculated by the cryptoprocessor on the basis of the data C and K sent in the step E506. The rest of the signature S′ is for example forced to a predetermined value, such that the result obtained (signature S1′) does not correspond to the signature S1, in order to preserve the security of the operation of the microcircuit card.

The step E524 is followed by the step E526 in which there is effected for example a comparison of the value S1′ that has just been determined with itself. As previously, this step has no functional role (since the result of the comparison of a number with itself is obviously known in advance), but simulates the step E510 for an attacker who is observing the electrical and/or electromagnetic behavior of the microcircuit card 10. In fact, since the steps E526 and E510 use the same instruction, they have very similar electrical (and electromagnetic) signatures.

Thus, if an attack has been detected between the steps E502 and E508 of normal operation, normal operation has been interrupted (by the switch to the bait-steps E520 to E526) without this change being detectable by an attacker, however.

The step E526 is followed by the step E528 in which blocking (or lock) data is written in the rewritable memory 6.

As already mentioned with regard to the first embodiment described with reference to FIG. 3, writing blocking data in the rewritable memory 6 prevents all subsequent use of the microcircuit card 10. It is therefore a particularly severe and effective countermeasure in response to the detection of an attack.

Note further that the step E528 is executed at a time when normal operation would have executed the step E512 of writing the amount in the rewritable memory 6. Thus the step E528 is initially confused by the attacker with the step E512 of normal operation that has the same electrical and/or electromagnetic signature, in particular because the steps E512 and E528 correspond to instructions of the same type that both effect a communication from the microprocessor 2 to the rewritable memory 6.

As clearly visible in FIG. 5, the step E512 and each of the preceding steps of normal operation have a counterpart step of similar signature executed in the case of detection of an attack. In particular, the step E512 of writing the amount in the rewritable memory 6, which constitutes an important step in the execution of the method, is associated with the step E528 of writing blocking data, which precisely constitutes the countermeasure in the case of detection of an attack against this method.

Thus not only is an attacker unable to determine the detection of his attack because of the steps E520 to E526 simulating normal operation, but the countermeasure (here the writing of blocking data) is also applied with a chronology such that it is confused with a step of normal operation having a similar electrical and/or electromagnetic signature.
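The two-branch structure described for FIG. 4 and the crediting method of FIG. 5 (steps E502 to E528 together with their bait counterparts E520 to E528) can be modelled in C. The following is an added example, not the patent's code nor any card vendor's implementation: the memory addresses, the lock value 0xFF, the bait constants and the 16-bit keyed checksum standing in for the DES-based cryptoprocessor calculation are all assumptions made for the example. The `trace` string plays the role of the attacker's power or electromagnetic view: it records only the type and order of bus and coprocessor transactions, never the data they carry. The point it shows is that the trace is identical for normal running and for every entry point into the bait branch, while the blocking write lands in the time slot that the amount write would have occupied.

```c
/* Added example (not the patent's code): a toy model of the two-branch credit
 * method of FIG. 5. Addresses, the lock value, bait constants and the keyed
 * checksum standing in for the DES-based cryptoprocessor are all assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LOCK_ADDR  0x00  /* assumed: blocking (lock) byte               */
#define KEY_ADDR   0x10  /* assumed: secret key K                        */
#define BAIT_ADDR  0x20  /* assumed: bait area K', unrelated to security */
#define VALUE_ADDR 0x30  /* assumed: purse value                         */
#define BAIT_CMD   0x00  /* assumed: predetermined bait command code C'  */
#define BAIT_KEY   0x77  /* assumed: predetermined bait key data K'      */

static uint8_t mem[64];   /* simulated rewritable memory 6 */
static char trace[64];    /* one token per bus or coprocessor transaction */

/* The trace stands in for what a power/EM observer sees: the type of each
 * operation and its position in time, never the data it carries. */
static void observe(const char *op) {
    if (trace[0] != '\0') strcat(trace, " ");
    strcat(trace, op);
}
static uint8_t mem_read(uint8_t a)             { observe("READ");  return mem[a]; }
static void    mem_write(uint8_t a, uint8_t v) { observe("WRITE"); mem[a] = v;   }

/* Constructed keyed checksum (not a real MAC); an authorized user who knows K
 * runs the same one to produce S, exactly as the card produces S1. */
uint16_t keyed_sig(uint8_t key, uint8_t code) {
    uint16_t s = (uint16_t)(0x5A5A ^ ((uint16_t)key << 8) ^ code);
    for (int i = 0; i < 8; i++)
        s = (uint16_t)(((s << 3) | (s >> 13)) ^ (uint16_t)(key + i));
    return s;
}
static uint16_t crypto_sign(uint8_t key, uint8_t code) {   /* E506..E508 */
    observe("CRYPTO");
    return keyed_sig(key, code);
}

enum result { CREDITED = 0, REJECTED = 1, LOCKED = 2 };

void reset_card(uint8_t key, uint8_t value) {
    memset(mem, 0, sizeof mem);
    mem[KEY_ADDR] = key; mem[BAIT_ADDR] = BAIT_KEY; mem[VALUE_ADDR] = value;
    trace[0] = '\0';
}
const char *last_trace(void) { return trace; }
int     card_locked(void)    { return mem[LOCK_ADDR] != 0; }
uint8_t purse_value(void)    { return mem[VALUE_ADDR]; }

/* detected_at: 0 = normal running; 1, 2, 3 = a verification step located
 * between E502/E504, E504/E506 or E506/E508 reported an attack. Whatever the
 * value, the observable sequence is READ, CRYPTO, COMPARE, WRITE. */
enum result credit(uint8_t cmd, uint8_t amount, uint16_t sig, int detected_at) {
    if (card_locked()) return LOCKED;         /* blocking data: no further use */
    trace[0] = '\0';
    /* E504, or its bait E520: same instruction, different area of memory. */
    uint8_t k = mem_read(detected_at == 1 ? BAIT_ADDR : KEY_ADDR);
    uint16_t s1;
    if (detected_at == 1 || detected_at == 2) {
        /* E522/E524: bait data C', K'. K' is the value just read from the bait
         * area (case 1) or a predetermined constant (case 2), never K itself. */
        s1 = crypto_sign(detected_at == 1 ? k : BAIT_KEY, BAIT_CMD);
    } else {
        s1 = crypto_sign(k, cmd);               /* E506/E508 with real K and C */
        if (detected_at == 3)                   /* E524: keep a part, force the rest */
            s1 = (uint16_t)((s1 & 0x00FFu) | 0xA500u);
    }
    observe("COMPARE");
    if (detected_at == 0) {                     /* E510 */
        if (s1 != sig) return REJECTED;         /* E514: error report, no write */
        mem_write(VALUE_ADDR, (uint8_t)(mem[VALUE_ADDR] + amount)); /* E512 */
        return CREDITED;
    }
    volatile uint16_t copy = s1;                /* E526: compare S1' with itself */
    (void)(s1 == copy);
    mem_write(LOCK_ADDR, 0xFF);                 /* E528: lock, in E512's time slot */
    return LOCKED;
}

/* One credit of 5 on a fresh card holding key 0x3C and value 10. */
int run_scenario(int detected_at, int valid_sig) {
    const uint8_t key = 0x3C, cmd = 0x42;
    reset_card(key, 10);
    uint16_t sig = (uint16_t)(keyed_sig(key, cmd) ^ (valid_sig ? 0u : 1u));
    return (int)credit(cmd, 5, sig, detected_at);
}

int main(void) {
    int r = run_scenario(0, 1);
    printf("normal -> %d, trace: %s, value=%u\n", r, last_trace(), purse_value());
    r = run_scenario(1, 1);
    printf("attack -> %d, trace: %s, locked=%d\n", r, last_trace(), card_locked());
    return 0;
}
```

Running `credit` with `detected_at` equal to 0, 1, 2 or 3 yields the same trace `READ CRYPTO COMPARE WRITE`; a wrong signature on the normal path stops after `COMPARE`, which corresponds to step E514 and is the one outcome the card does not disguise. Once the lock byte has been written, every later call returns `LOCKED` before touching memory, which is the "no subsequent use" effect of the blocking data. On real hardware the self-comparison at E526 would be written with volatile operands or in assembly so that the compiler cannot remove it; the `volatile` copy here is the minimum needed to keep that instruction in place.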

The examples that have just been described are merely possible embodiments of the invention.

1. Data processing method comprising: a step of verification of a criterion indicative of the normal running of the method; and a processing step (E528) effected in the case of negative verification, characterized in that, a first action (E512) being effected in the case of positive verification, the processing step entails effecting at least one second action (E528) having a first characteristic in common with the first action (E512).

2. Data processing method comprising: a step (E308; E406, E410, E416) of verification of a criterion indicative of the normal running of the method; and a processing step (E320; E458; E528) effected in the case of negative verification, wherein the processing step (E320; E458; E528) is separated from the verification step (E308; E406, E410, E416) by an intermediate step (E312, E314; E450, E452, E454, E456; E520, E522, E524, E526) of non-null duration, characterized in that, a first action (E314; E408, E412, E414; E504, E506, E508, E510) being effected in the case of positive verification, the intermediate step entails effecting at least one second action (E314; E450, E454, E456; E520, E522, E524, E528) having at least one first characteristic in common with the first action.

3. Method according to claim 1, wherein the second action is different from the first action.

4. Method according to claim 2, wherein, a third action (E418; E512) being effected in the case of positive verification, the processing step entails effecting at least one fourth action (E458; E528) having at least one second characteristic in common with the third action (E418; E512).

5. Method according to claim 1, wherein, the method being implemented in electronic apparatus (10), the first or second common characteristic is the electrical consumption or the electromagnetic radiation of the apparatus generated by the first, respectively the third, action and by the second, respectively the fourth, action.

6. Method according to claim 1, wherein the first or second common characteristic is the number of instructions used in the first, respectively the third, action and in the second, respectively the fourth, action.

7. Method according to claim 1, wherein the first or second common characteristic is the type of instruction used by the first, respectively the third, action and by the second, respectively the fourth, action.

8. Method according to claim 1, wherein the first or second common characteristic is the type of data processed by the first, respectively the third, action and by the second, respectively the fourth, action.

9. Method according to claim 1, wherein, the first, respectively the third, action entailing access to a first area of a memory, the second, respectively the fourth, action entails access to a second area of said memory different from the first area.

10. Method according to claim 1, wherein the first or second common characteristic is communication with an external device.

11. Method according to claim 10, wherein the external device is a cryptoprocessor.

12. Method according to claim 10, wherein the external device is a memory (2, 6).

13. Method according to claim 10, wherein the external device is a rewritable semiconductor memory (6).

14. Method according to claim 10, wherein the external device is a user terminal.

15. Method according to claim 1, wherein the first action entails a secure step.

16. Method according to claim 15, wherein the secure step entails a cryptographic algorithm.

17. Method according to claim 1, wherein the processing step (E320, E528) entails writing blocking data into a physical memory (6).

18. Method according to claim 17, wherein the writing (E528) of blocking data is effected in accordance with a chronology identical to writing (E512) data into the physical memory (6) in the case of normal running of the method.

19. Method according to claim 18, wherein the data represents a pecuniary value.

20. Method according to claim 1, wherein the criterion is negative if an erroneous signature is provided.

21. Method according to claim 1, wherein the criterion is negative if an anomaly is detected.

22. Method according to claim 1, wherein the criterion is negative if an attack is detected.

23. Method according to claim 1, wherein the criterion is negative if a functional error is detected.

24. Method according to claim 2, wherein the intermediate step entails at least one instruction determined during the execution of the method.

25. Method according to claim 1, executed by a microprocessor (2) of a microcircuit card (10).

26. Data processing device comprising: means for verification of a criterion indicative of the normal operation of the device; processing means used in the case of negative verification; and separation means for separating the operation of the verification means from the operation of the processing means by a non-null duration, characterized in that, first action means being used in the case of positive verification, the separation means have at least one first characteristic in common with the first action means.

27. Device according to claim 26, wherein, second action means being used in the case of positive verification, the processing means have at least one second characteristic in common with the second action means.

28. Data processing device comprising: means for verification of a criterion indicative of the normal operation of the device; and processing means used in the case of negative verification, characterized in that, first action means being used in the case of positive verification, the processing means have at least one first characteristic in common with the first action means.

29. Device according to claim 26, the device being a microcircuit card.